* Remove email placeholder
The current placeholder is confusing to users and results in many trying
to login with their username. The change in this PR hopefully decreases that
confusion.
According to UX recommendations, we have decided to remove the email placeholder for the form. It seems placeholders tend to just confuse the users.
TNL-7053
The courseware_api view will use check_course_access - which now returns AccessResponse objects, and all other uses of check_course_access will now use check_course_access_with_redirect, which is a drop-in replacement for the original check_course_access implementation.
We also added a few new helpers to access_utils:
- check_public_access is a replacement for allow_public_access, which now returns AccessResponse objects
- check_enrollment checks if the learner is enrolled, and uses check_public_access to account for COURSE_ENABLE_UNENROLLED_ACCESS_FLAG
- check_survey checks whether there is a required survey that the learner must complete prior to accessing the course.
There are two new kinds of AccessError subclasses:
- SurveyRequiredAccessError
- EnrollmentRequiredAccessError
There was an issue where external LMS system (e.g. Canvas, Blackboard) that used Open edX LTI Provider calls had cookies blocked. This update fixes this issue by defining third-party cookies to have attributes of `Secure=True` and `SameSite=None`.
Details here: https://discuss.openedx.org/t/lti-xblock-and-samesite/759/5
(cherry picked from commit 28479a2966b87b16a25dbc96c19b6f5817d255de)
Prepare to upgrade to django-oauth-toolkit (module name oauth2_provider) 1.3.2 concurrently with the Django 2.2 upgrade (versions after 1.1.3 dropped support for Django 1.11). Key points:
* We can stop using a commit hash since versions 1.3.0 through 1.3.2 have been released since that commit.
* The validator in oauth_dispatch migration 0002 has been removed from DOT, but the whole table was removed in migration 0004 anyway. Newer DOT versions moved where redirect URI validation happens so it's no longer needed here.
* DOT 1.3.0 squashed its original 6 migrations and immediately deleted them. This required some changes in oauth_dispatch migrations 0006 and 0007 to deal with either numbering system.
When deploying to stage and production, we'll need to delete the history for oauth2_provider migrations 0002-0006 first (the new squashed 0001 migration has the same name as the original 0001). The deployment with DOT 1.3.2 will add a new 0002 migration which should then apply cleanly on the existing database state.
Should resolve https://openedx.atlassian.net/browse/BOM-1456 .
We now either pass in the relevant courseoverview or when creating the
enrollement we use the factory which automatically creates the relevant
CourseOverview object for testing purposes.
We were passing unstripped password value to `authenticate_new_user()`
after creating a user which was resulting in password mismatch and
was raising this error.
PROD-656
We weren’t using has_access to check user access, which meant we were missing out on a bunch of checks. This PR adds a local _check_access function to CoursewareInformation. Ideally we would add this into access.py, but we’re adding it here for now to avoid any unexpected regressions in editing more commonly used code. This should ultimately be folded into our access system properly.
TNL-7053
* Adding samesite cookie option in django 2.1 and above
Django 2.1 release note: Added the SESSION_COOKIE_SAMESITE setting to set the SameSite cookie flag on session cookies.
...and it turns out we don't need the switch anymore, anyway.
When we upgraded to Django 1.11, this flag was added in order to
allow for a database migration that would render the user table
unwriteable for up to half an hour:
https://github.com/edx/edx-platform/pull/17561
This involved swapping out the signal handler for logins via
`user_logged_in.disconnect(django_update_last_login)`, but with
Django 2.0, that disconnect is silently failing (returning
false). Likely the disconnect is now happening too soon.
(See edx-platform/common/djangoapps/student/apps.py line 21 in 61e1eda.)
The result is that by the time the waffle switch is consulted, the
normal handler has already run, and the user's last login date has
already been updated.
For now we're just removing the test, and have filed ARCHBOM-1084 for
followup (deleting the switch and related code).
